CloudFormation – 3 – User data, cfn

User Data in EC2 for CloudFormation

  • We can provide user data at EC2 instance launch through the console
  • We can also include it in CloudFormation
  • The important thing is to pass the entire script through the Fn::Base64 function
  • Good to know: user data script log is in /var/log/cloud-init-output.log

Let’s see how to do this in CloudFormation. We have a YAML file like this:



Next -> Create stack

After the EC2 instance has been created, we can check its public DNS address and go to that address in the browser:

We can connect to the EC2 through SSH and check the output of user data:


cfn init

  • AWS::CloudFormation::Init must be in the Metadata of a resource
  • The cfn-init script helps make complex EC2 configurations readable
  • The EC2 instance will query the CloudFormation service to get init data
  • Logs go to /var/log/cfn-init.log

Consider a template like this:

cfn-init is a more readable way to install packages and modify files on the system than the user data approach.

Let’s create a CfnInitExample stack:

Next ->

Next -> Create stack

Now we can go to the url of the new EC2 instance:

Now let’s ssh to the EC2 instance:


All the logs:

If we need to troubleshoot:


cfn signal & wait conditions

  • We still don’t know how to tell CloudFormation that the EC2 instance got properly configured after a cfn-init
  • For this, we can use the cfn-signal script!
    • We run cfn-signal right after cfn-init
    • Tell CloudFormation service to keep on going or fail
  • We need to define WaitCondition:
    • Block the template until it receives a signal from cfn-signal
    • We attach a CreationPolicy (also works on EC2, ASG)

Consider a template like this:

Using this template let’s create a stack:

Next -> Create stack
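
A minimal template that puts the pieces above together, as an added example that is not the template from the original post: cfn-init applies the Metadata, cfn-signal reports its exit code, and the CreationPolicy on the WaitCondition blocks the stack until that signal arrives. The logical names MyInstance and SampleWaitCondition, the instance type and the PT5M timeout are assumptions, and the instance is assumed to launch in a default VPC with Internet access.

```yaml
# Added example (not the original post's template). Logical names are assumptions.
Parameters:
  ImageId:
    # Public SSM parameter that resolves to the latest Amazon Linux 2 AMI
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
Resources:
  MyInstance:
    Type: AWS::EC2::Instance
    Metadata:
      AWS::CloudFormation::Init:
        config:
          packages:
            yum:
              httpd: []
          files:
            /var/www/html/index.html:
              content: "<h1>Hello from cfn-init</h1>\n"
              mode: "000644"
              owner: root
              group: root
          services:
            sysvinit:
              httpd:
                enabled: true
                ensureRunning: true
    Properties:
      ImageId: !Ref ImageId
      InstanceType: t2.micro
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash -x
          # Update the helper scripts, then apply the Metadata above
          yum update -y aws-cfn-bootstrap
          /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource MyInstance --region ${AWS::Region}
          # $? is the exit code of cfn-init: 0 signals success, anything else fails the stack
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource SampleWaitCondition --region ${AWS::Region}
  SampleWaitCondition:
    Type: AWS::CloudFormation::WaitCondition
    CreationPolicy:
      ResourceSignal:
        Count: 1       # number of success signals required
        Timeout: PT5M  # ISO 8601 duration; creation fails if no signal arrives in time
```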


cfn-signal failures troubleshooting

Wait Condition Didn’t Receive the Required Number of Signals from an Amazon EC2 Instance

  • Ensure that the AMI you’re using has the AWS CloudFormation helper scripts installed. If the AMI doesn’t include the helper scripts, you can also download them to your instance.
  • Verify that the cfn-init & cfn-signal commands were successfully run on the instance. You can view logs, such as /var/log/cloud-init.log or /var/log/cfn-init.log, to help you debug the instance launch.
  • You can retrieve the logs by logging in to your instance, but you must disable rollback on failure or else AWS CloudFormation deletes the instance after your stack fails to create.
  • Verify that the instance has a connection to the Internet. If the instance is in a VPC, the instance should be able to connect to the Internet through a NAT device if it’s in a private subnet or through an Internet gateway if it’s in a public subnet.
  • For example, run: curl -I

Consider the following YAML template:


will exit with error 1. 1 is a bad exit code; a good one is 0. This will directly trigger a cfn-init failure.

Let’s create a stack:


Next -> Create stack

And we see “Failed to receive 1 resource signal(s) within the specified duration”.

As a result, the whole stack has been rolled back.